`oci_append` tries to write back to `base_image` which is weird and incorrect

chainguard-dev / terraform-provider-oci

Terraform provider to perform OCI image operations

https://registry.terraform.io/providers/chainguard-dev/oci

Mozilla Public License 2.0

12 stars 10 forks source link

`oci_append` tries to write back to `base_image` which is weird and incorrect #19

Open mattmoor opened 1 year ago

mattmoor commented 1 year ago

oci_append.site: Creating...
╷
│ Error: Unable to push image
│ 
│   with oci_append.site,
│   on service.tf line 14, in resource "oci_append" "site":
│   14: resource "oci_append" "site" {
│ 
│ Unable to push image, got error: PUT https://gcr.io/v2/mattmoor-chainguard/apko-hugo-cloudrun/manifests/sha256:d983e9ebe396bdbb1a035aed87fa4e30551188393349ad54cbaaab4c5aaf388c: DIGEST_INVALID: Manifest digest
│ "sha256:95bd4706afe03ac83a251988698f0b87edc1f8ac47276c3077a6849c5b5ee719" does not match expected digest "sha256:d983e9ebe396bdbb1a035aed87fa4e30551188393349ad54cbaaab4c5aaf388c".

mattmoor commented 1 year ago

Ok, so the actual problem here is that oci_append attempts to write the resulting image back to base_image, and I was passing the base image by digest.

This is a sort of design flaw we should think through because it makes it impossible to append to a base image from a public source, but explains the error!

imjasonh commented 1 year ago

crane append has similar semantics, but it has other options to make it not that way:

if base_image is not configured, we can simply append to scratch and produce an image that's just the given contents
if repo is configured, we push to that repo instead of pushing over base_image's
crane append will also tag, but we should keep that as a responsibility of oci_tag.